Hi Steven Winderlich,
IP being on an abused and misused server at Cloudflare ->
http://support.clean-mx.com/clean-mx/viruses.php?ns2=greg.ns.cloudflare.com&sort=email%20asc&response=alive
Also clear on detection is Sucuri's:
http://sitecheck.sucuri.net/results/www.b.ing-forward.com
See:
http://toolbar.netcraft.com/site_report?url=http://www.b.ing-forward.com risk rating 10/10, all red!
Everything fine here:
http://dnscheck.pingdom.com/?domain=ing-forward.com&timestamp=1398287558&view=1
But errors and delegation problems starting for the subdomain:
http://dnscheck.pingdom.com/?domain=b.ing-forward.com&timestamp=1398287657&view=1
Not enough nameserver information was found to test the zone b.ing-forward.com, but an IP address lookup succeeded in spite of that.
Looks like a zone-forward attack took place there
Code: 302, htxp://tr.im (a conditional redirect found)
Redirect to external server! (using the tr.im URL shortener)
See:
http://fetch.scritch.org/%2Bfetch/?url=b.ing-forward.com&useragent=Fetch+useragent&accept_encoding=
Malicious as given here: htxp://b.ing-forward.com redirects to htxp://tr.im
Dr.Web's URL checker flags it.
htxp://tr.im is in Dr.Web malicious sites list!
Checking: htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js
File size: 7485 bytes
File MD5: 1dd6654ed7e60462d63b8e9409d23283
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js - archive JS-HTML
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_1[17a][4d] - Ok
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_2[722][43] - Ok
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_3[1855][2a3] - Ok
>htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js/JSTAG_4[1b21][203] - Ok
htxp://tr.im///trim-assets.s3.amazonaws.com/assets/application-6fe0be6a67a5badc99020c120434a6c7.js - Ok *
Checking: htxp://tr.im
Engine version: 7.0.9.4080
Total virus-finding records: 5141003
File size: 7817 bytes
File MD5: 6be4d3b17491d0fdadf701622da6fea5
htxp://tr.im - archive JS-HTML
>htxp://tr.im/JSTAG_1[17a][4d] - Ok
>htxp://tr.im/JSTAG_2[722][43] - Ok
>htxp://tr.im/JSTAG_3[19a4][2a3] - Ok
>htxp://tr.im/JSTAG_4[1c70][200] - Ok
htxp://tr.im - Ok
* could have been abused by ET DROP Spamhaus DROP Listed Traffic Inbound group 13 and/or ET RBN Known Russian Business Network IP group 76
pol
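The two symptoms the post above points at on b.ing-forward.com, a 302 that leaves the site for an external URL-shortener host and a redirect that only some clients receive ("conditional redirect"), can be checked mechanically by recording the redirect chain without automatic following and by comparing what different user agents get back. The Python below is an added example, not code from the post or from any of the tools it links; the hostnames come from the post, while the paths, status codes and per-user-agent results are constructed sample data.

```python
"""Redirect-chain analysis (added example, not from the forum post).

analyze_chain() walks a chain of (status, Location) hops recorded WITHOUT
auto-follow, so every intermediate hop is visible, and flags hops that
leave the originating registrable domain or downgrade https to http.
is_conditional() reports whether different user agents saw different
responses, the cloaking pattern behind a "conditional redirect".
"""
from urllib.parse import urlparse, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


def registrable_domain(host):
    """Crude eTLD+1: the last two DNS labels.  Fine for .com hosts;
    a real tool should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_chain(start_url, hops):
    """hops: list of (status_code, location_header_or_None), in order.
    Returns the URLs visited, the final URL and a list of findings."""
    origin = registrable_domain(urlparse(start_url).hostname or "")
    current = start_url
    urls = [current]
    findings = []
    terminated = False
    for i, (status, location) in enumerate(hops, 1):
        if status not in REDIRECT_CODES:
            terminated = True          # 200, 404, ... ends the chain
            break
        if not location:
            findings.append(f"hop {i}: {status} without Location header")
            terminated = True
            break
        target = urljoin(current, location)   # Location may be relative
        host = urlparse(target).hostname or ""
        if registrable_domain(host) != origin:
            findings.append(f"hop {i}: {status} leaves {origin} -> {host}")
        if urlparse(current).scheme == "https" and urlparse(target).scheme == "http":
            findings.append(f"hop {i}: downgrade https -> http at {host}")
        current = target
        urls.append(current)
    if not terminated:
        findings.append("chain did not terminate: possible loop or truncated capture")
    return {"urls": urls, "final": current, "findings": findings}


def is_conditional(results):
    """results: {user_agent: (status, location)}.  True when clients were
    served different answers, i.e. the redirect is conditional."""
    distinct = {(status, (loc or "").lower()) for status, loc in results.values()}
    return len(distinct) > 1


# Constructed sample: what a non-following fetch of the post's hostnames
# might record.  The 200 at the end and the shortener target are assumptions.
SAMPLE_HOPS = [
    (302, "http://tr.im/"),   # leaves ing-forward.com for the shortener
    (200, None),              # shortener landing page
]

# Constructed sample of per-user-agent results (the cloaking pattern):
SAMPLE_BY_UA = {
    "Mozilla/5.0 (Windows NT 6.1; rv:28.0) Gecko/20100101 Firefox/28.0": (302, "http://tr.im/"),
    "Fetch useragent": (200, None),
}

if __name__ == "__main__":
    report = analyze_chain("http://b.ing-forward.com/", SAMPLE_HOPS)
    for line in report["findings"]:
        print(line)
    print("final:", report["final"])
    print("conditional redirect:", is_conditional(SAMPLE_BY_UA))
```

Record the hops with a client that does not follow redirects (for example `curl -sI` one hop at a time, or the Fetch tool linked above) and feed them to `analyze_chain`; repeat the fetch with a browser-like user agent and a scanner-like one and pass both results to `is_conditional`. The two-label `registrable_domain` is deliberately simple and will misjudge hosts under suffixes such as co.uk.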